President Trump recently announced The Stargate Project, a $500 billion private investment in new data centers. The project’s plans are in development, but absent federal requirements, protection from certain critical threats rests upon the discretion of the developers.

Emerging technologies such as AI that require vast computational power are driving demand for new data centers. The Stargate deal reflects that demand, securing non-federal funding for 20 new data centers in Texas to power AI technology.

That’s not to say data center operators don’t already prepare for contingencies. But when security failures could pose such dramatic consequences for the country and the world, it’s worth taking every step possible to prevent those failures.

The threats faced by data centers include both malign cyber activity and conventional kinetic attacks against infrastructure. However, data centers are also vulnerable to geomagnetic disturbance events and electromagnetic pulse attacks.

>>> The U.S., Not China, Should Take the Lead on AI

A natural geomagnetic disturbance event is the unintentional, uncontrollable ejection of charged material from the sun. In contrast, an electromagnetic pulse attack is an intentional attack via a specialized conventional munition, high-altitude nuclear detonation, or a directed beam from a non-nuclear energy device.

Without security protections, either of these events would shut down and wipe out all electronics, power systems and information systems in its path.

Currently, there are over 5,000 data centers in the U.S., and the National Telecommunications and Information Administration estimates that demand for these centers will grow 9 percent annually through 2030. By that projection, the U.S. will have over 9,000 data centers by 2030—all of which will be vulnerable to geomagnetic disturbances and electromagnetic pulse attacks.

In FY 2024, Congress added the Federal Data Center Enhancement Act to its NDAA. This act directed the General Services Administration to establish minimum requirements for new data centers, including mandated protections against power failures, physical intrusions, natural disasters and information security invasions.

This act also allows the administrator to impose “any other requirements” he may deem appropriate. However, this provides no guarantee that the administrator will require protection against such events.

By amending the text of this act to include “protections against electromagnetic pulse attacks and geomagnetic disturbance and specific hardening standards,” Congress can ensure that all new data centers will be equipped with the necessary protections.

>>> The U.S. Shouldn’t Go the Way of Europe on AI

The harder, costlier sell is convincing Congress to retrofit existing data centers to protect them from such attacks. But given the national security concerns involved, Congress should seriously consider providing funding for these protections.  

According to congressional reports compiled from fiscal 2001 to fiscal 2020, electromagnetic pulse events pose an existential threat to critical infrastructure in the U.S. In fiscal 2020, Congress directed the Department of Homeland Security to develop technologies to enhance resilience and protect critical infrastructure from such attacks. At the same time, it directed the Federal Emergency Management Agency to coordinate response and recovery plans for such attacks.

In a 2022 report, Homeland Security laid out precisely what data centers and other critical infrastructure need to be protected.

But despite all this research, Congress has so far failed to act decisively to protect America’s data centers. It’s unclear how many existing data centers are hardened against electromagnetic pulses and geomagnetic events, but reports indicate that most are not.

The 2025 National Defense Authorization Act included several provisions related to advancing emerging technologies but failed to mention data centers.